
Critical flaw in unpatched Telnetd (CVE-2026-32746) enables unauthenticated root RCE over port 23


Ravi Lakshmanan | March 18, 2026 | Vulnerability/Data Protection

Cybersecurity researchers have uncovered a critical security flaw affecting the GNU InetUtils Telnet daemon (telnetd). This flaw could be exploited by an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

The vulnerability is tracked as CVE-2026-32746 and has a CVSS score of 9.8 out of 10.0. It is described as an out-of-bounds write in the LINEMODE Set Local Character (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution.

Israeli cybersecurity firm Dream, which discovered and reported the flaw on March 11, 2026, said the flaw affects all versions of the Telnet service implementation up to 2.7. A fix for this vulnerability is expected to be available by April 1, 2026.

“An unauthenticated, remote attacker could exploit this by sending a specially crafted message during the initial connection handshake, before the login prompt appears,” Dream said in the alert. “A successful exploit could allow remote code execution as root.”

“A single network connection to port 23 is sufficient to trigger this vulnerability; no credentials, user interaction, or special network location are required.”

According to Dream, the SLC handler processes option negotiation during the Telnet protocol handshake. Because the flaw can be triggered before authentication, an attacker could weaponize it immediately after establishing a connection by sending a specially crafted protocol message.

If telnetd is running with root privileges, a successful exploit could lead to a complete system compromise. This could open the door to a variety of post-exploitation actions, including deployment of persistent backdoors, data exfiltration, and lateral movement using the compromised host as a pivot point.

According to Adiel Sol, security researcher at Dream, “An unauthenticated attacker could trigger this vulnerability by connecting to port 23 and sending a crafted SLC suboption containing a large number of triplets.”

“No login is required. This bug occurs during option negotiation before the login prompt. An overflow can corrupt memory and turn into arbitrary writes. In practice, this could lead to remote code execution. Because telnetd typically runs as root (e.g., under inetd or xinetd), a successful exploit could give the attacker complete control of the system.”

In the absence of a fix, the recommended mitigations are to disable the Telnet service where it is not needed, run telnetd without root privileges where it is required, block port 23 at the network perimeter and at the host-based firewall level to restrict access, and isolate Telnet access.
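A minimal audit for the mitigation advice above, added here as an example (not code from Dream or GNU InetUtils): it parses inetd.conf-style and xinetd-style text and reports telnet entries that are still enabled, along with the user they run as. The sample configurations are constructed, and the parsers assume the common field layouts only.

```python
import re

# Constructed sample configurations (not taken from any real host).
INETD_SAMPLE = """\
#ftp    stream tcp nowait root /usr/sbin/ftpd    ftpd
telnet  stream tcp nowait root /usr/sbin/telnetd telnetd
"""
XINETD_SAMPLE = """\
service telnet
{
    disable = no
    user    = telnetd
    server  = /usr/sbin/telnetd
}
service time
{
    disable = yes
    user    = root
}
"""

def audit_inetd(text):
    """Find active (uncommented) telnet entries in inetd.conf-style text."""
    findings = []
    for line in text.splitlines():
        # Fields: service socket-type protocol wait-flag user server [args]
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 6 and fields[0] == "telnet":
            user = fields[4].split(":")[0]  # tolerate user:group
            findings.append({"source": "inetd", "user": user, "root": user == "root"})
    return findings

def audit_xinetd(text):
    """Find telnet service blocks in xinetd-style text that are not disabled."""
    findings = []
    text = re.sub(r"#.*", "", text)  # drop comments
    for name, body in re.findall(r"^\s*service\s+(\S+)\s*\{(.*?)\}", text, re.S | re.M):
        attrs = dict(re.findall(r"^\s*(\w+)\s*[+-]?=\s*(.+?)\s*$", body, re.M))
        if name == "telnet" and attrs.get("disable", "no").lower() != "yes":
            user = attrs.get("user", "unknown")
            findings.append({"source": "xinetd", "user": user, "root": user == "root"})
    return findings

def audit(inetd_text="", xinetd_text=""):
    """All enabled telnet entries, with root-run ones listed first."""
    found = audit_inetd(inetd_text) + audit_xinetd(xinetd_text)
    return sorted(found, key=lambda f: not f["root"])

if __name__ == "__main__":
    for finding in audit(INETD_SAMPLE, XINETD_SAMPLE):
        print(finding)
```

On a host, feed it the contents of `/etc/inetd.conf` and the files under `/etc/xinetd.d/`. An entry that runs as a non-root user still exposes the service on port 23, so it lowers the impact rather than removing the exposure.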

This disclosure comes nearly two months after another critical security flaw was disclosed in GNU InetUtils telnetd (CVE-2026-24061, CVSS score: 9.8). This flaw could be exploited to gain root access to the target system. According to the U.S. Cybersecurity and Infrastructure Security Agency, the vulnerability has since been exploited in the wild.

